EQUILOR BEFEKTETÉSI ZRT. S PRELIMINARY INFORMATION ON DATA PROTECTION

Transcription

1 EQUILOR BEFEKTETÉSI ZRT. S PRELIMINARY INFORMATION ON DATA PROTECTION EQUILOR Befektetési Zártkörűen Működő Részvénytársaság (short company name: EQUILOR Zrt.; registered office: H-1037 Budapest, Montevideo utca 2/C.; company registration number: ; hereinafter: EQUILOR, or data controller) as data controller, based on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: DGPR), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act), and taking into consideration the law enforcement practices of the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority), hereby informs the data subjects (hereinafter collectively referred to as: data subject) about the management of their personal data as follows. Pursuant to Paragraph 1 of Article 12 of the GDPR, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, [ ]. Pursuant to the Privacy Act, Before processing operations are carried out the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, if the data subject s personal data is processed in accordance with Subsection (5) of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data subject s rights and remedies. [Privacy Act, Section 20, paragraph (2)]. For the purpose of this information: 1. personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in other ways, alignment or combination, restriction, erasure or destruction; 3. controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 4. processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 5. recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; 6. third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; This Preliminary Information on Data Protection provides information on the facts that involve all or most data management activities by EQUILOR collectively in the General information section. The Special information section provides information on all facts regarding each data management activity that is unique compared to the ones described in the General information section or that is not mentioned in the General information section. Upon any deviations between the General information section and the Special information section, provisions of the Special information section shall prevail. 1/13

2 1. THE PERSON ENTITLED TO PROCESS I. GENERAL INFORMATION 1.1. EQUILOR and - if multiple persons are entitled to process - other persons specified in the Special information section are entitled to act as controllers. 2. DEFINITION OF PERSONS ENTITLED TO PROCESS 2.1. A natural or legal person or an organisation without legal personality, assigned by EQUILOR as contoller, performing processing-related technical tasks based on a written contract with EQUILOR If it is not specified otherwise in the Special information section for specific data management activities, in respect of the management of the personal data of the data subjects, a) Iron Mountain Kft. (registered office: H-1093 Budapest, Czuczor utca 10. IV. em.), b) Dorsum Informatikai Zrt. (registered office: H Budapest, Logodi utca 5-7.), c) Saxo Bank A/S (registered office: Denmark, DK-2900 Hellerup, Philips Heymans Allé 15), d) Regatta Project Kft. (registered office: H-1046 Budapest, Lahner György út 3/B.), e) Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6.), and f) ARBES Technologies, s.r.o. (registered office: Praha 5, Štefánikova č.p. 248/32, PSČ ) g) Hibridlevél Korlátolt Felelősségű Társaság (registered office: H-2400 Dunaújváros, Verebély utca 8.). h) HELIKON Utazási Iroda Korlátolt Felelősségű Társaság (registered office: H-8360 Keszthely, Erzsébet királyné útja 21.) i) BésG Számviteli Kft. (registered office: H-1196 Budapest, Áchim András utca 77.) perform activities that, pursuant to the GDPR and the Privacy Act, may be regarded as processing EQUILOR reserves the right to engage further processors in addition to the ones specified above, as needed. EQUILOR shall inform the data subject about the identity of any other processors engaged subsequent to the initial registration of the data processing, at latest when the data management is started. 3. LEGAL BASES FOR PROCESSING Prior to the start of processing, EQUILOR shall notify the data subject of the legal basis for the relevant processing in the Special information section of this document, which may be the following: a) the data subject has given their consent to the processing of his personal data for one or more specific purposes; b) processing is required for the performance of a contract where the data subject is one of the parties, or is necessary for taking the steps carried out for the request of the data subject prior to the execution of the contract; c) processing is required for the fulfilment of a legal obligation imposed on the controller; d) processing is required for the protection of the fundamental interests of the data subject or another natural person; e) processing is of public interest, or is required for the fulfilment of the task performed in the framework of exercising the official powers vested on the controller; f) processing is necessary to enforce the legitimate interests of the controller or a third party, except if interests or fundamental rights and freedoms of the data subject that require the protection of personal data are given priority over these interests, especially if the data subject is a child Processing based on consent Processing based on consent is involved if the data subject voluntarily consents to the processing of his personal data whether comprehensively or for specific operations. The data subject if not otherwise stated in the information gives consent to the comprehensive management of his personal data Granting a consent cannot be considered voluntary if the data subject does not have a real or free choice and is unable to refuse or withdraw the consent without it being detrimental to them If processing serves multiple purposes at a time, the consent shall be granted for all data processing purposes. EQUILOR seeks to ensure that, if the declaration of consent is included in a declaration with other matters, the separate declarations shall be indicated in a clear manner and separately for each purpose If processing is not performed for the purpose of a contractual obligation, legal obligation or legitimate interest, personal data may be processed only with your explicit consent. You are entitled to withdraw your consent at any time. However, withdrawing the consent is only valid for consent-based processing, but not for processing with other legal basis. Withdrawing the consent does not involve or influence processing prior to the withdrawal For the validity of a legal declaration with the consent of an underage data subject above 16 years of age, the consent or subsequent approval of a legal representative is not required In court or official proceedings initiated for the request of the data subject, the consent of the data subject shall be presumed regarding the personal data necessary for the conduct of proceedings based on the personal data the data subject has provided in another case initiated for the request of the data subject The consent of the data subject shall be deemed to be given for the personal data that have been communicated during the public appearance of the data subject or have been provided for publication by the data subject In case of doubt, it shall be presumed that the data subject has not given its consent Processing based on legal obligation 2/13

3 Mandatory processing is performed if the types of data to be processed, the purpose and conditions of processing, the knowledgeability of the data, the length of processing and the identity of data controller is specified for EQUILOR by the law on data management as well as a local government decree Processing for the enforcement of a legitimate interest Personal data may also be processed if the processing of personal data is necessary to enforce a legitimate interest of EQUILOR or a third party and the enforcement of this interest is proportionate to limiting the right to the protection of personal data. Prior to starting the planned processing, EQUILOR shall in each case review whether the processing of personal data is strictly necessary to achieve the purpose of processing, and whether or not there are alternative solutions available that can be used to achieve the intended purpose without the need to process personal data. 4. THE DATA SUBJECT S RIGHTS AND REMEDIES REGARDING PROCESSING 4.1. The data subject may initiate the following at EQUILOR: a) access to its personal data and other information; b) correction of its personal data; c) deletion or restriction of its personal data with the exception of mandatory processing; d) carrying of his data; and e) objection to the processing of his personal data The data subject may send or present a) a verbal request or verbal objection regarding the above rights in person and via phone on the phone numbers indicated in the announcement of EQUILOR s telephone lines set up with voice recorder ; b) or a written objection to the address equilor@equilor.hu, the fax number (06 1) or by post to EQUILOR s registered office at H-1037 Budapest, Montevideo utca 2/C The data subject as well as all persons to whom the personal data have been transferred for processing shall be notified of any correction, restriction and deletion. Notification can be waived, if it proves impossible or requires disproportionate effort Right to access The data subject has the right to get feedback from the data controller on whether his personal data are being processed and, if so, he has the right to have access to personal data and the following information: a) the purposes of processing; b) categories of the personal data concerned; c) recipients or categories of recipients to whom or to which personal data have been or will be disclosed, including, in particular, third-country recipients and international organizations; d) where appropriate, the intended duration of the storage of personal data or, where this is not possible, the criteria for determining this period; e) the right of the data subject to request the data controller to rectify, delete or restrict the processing of his personal data and to object to the processing of such personal data; f) the right to lodge a complaint addressed to a supervisory authority; g) if the data have not been collected from the data subject, all available information about their source; h) the fact of automated decision making process referred to in paragraphs (1) and (4) of Article 22 of the GDPR, including profiling, and at least in such cases information about the logic used and about the relevance of such processing as well as the expected consequences thereof on the data subject Upon the request of the data subject, EQUILOR shall provide the information in writing provide the information in writing as soon as possible, but within 25 days of the submission of the request, at the latest The information is free of charge, if the person requesting the information has not yet submitted a request for information to EQUILOR for the same data scope during the calendar year for which the request is submitted; in other cases, expenses may be charged. The amount of reimbursement can also be recorded in the contract between EQUILOR and the requesting party. Any already paid reimbursement shall be refunded if it is proven that data have been processed unlawfully, or if the information request has resulted in data correction EQUILOR may only refuse to inform the data subject in cases defined by law. In this case, EQUILOR shall communicate in writing the provision of the act under which the refusal to provide information was made. Upon refusal to provide information, EQUILOR shall inform the data subject of the options to seek judicial remedy or refer to the Authority EQUILOR shall notify the Authority of any rejected requests by 31 January following the reference year Correction of personal data If some personal data are not true and correct, and EQUILOR has the true and correct data at its disposal, EQUILOR shall correct the personal data If EQUILOR fails to fulfil the data subject s request for correction, it shall inform the data subject in writing of its factual and legal reasons for the rejection of the request for correction within 30 days of the receipt of the request. Upon the rejection of a request for correction, EQUILOR shall inform the data subject of the options to seek judicial remedy or refer to the Authority Deletion of personal data The data subject shall have the right to request the controller to delete his personal data without undue delay, and the controller shall delete the personal data of the data subject without undue delay, if one of the following reasons exist: a) personal data are no longer needed for the purpose for which they were collected or otherwise processed; b) the data subject withdraws the consent being the legal basis for processing pursuant to Article 6 (1) a) or Article 9 (2) a) of the GDPR, and there is no other legal basis for data processing; 3/13

4 c) the data subject is objecting to processing based on Article 21 (1) of the GDPR and has no privileged legitimate reason for data processing, or the data subject is objecting to data processing under Article 21 (2); d) personal data have been processed unlawfully; e) personal data shall be deleted in order to fulfil a legal obligation of the European Union or by a Member State legislation to be applied to the data controller; f) the collection of personal data was made in connection with offering services that are related to the information society as referred to in Article 8 (1) of the GDPR If the purpose of data management ceases to exist, or the period of time specified in the law for the storage of the data has expired, the obligation of deletion does not apply to personal data that are contained in media that should be submitted to a public record office in accordance with the legislation on the protection of archives If EQUILOR fails to fulfil the data subject s request for deletion, it shall inform the data subject in writing of its factual and legal reasons for the denial of the request for deletion within 25 days following the receipt of the request. In case of the denial of a request for deletion, EQUILOR shall inform the data subject of the options to seek judicial remedy or refer to the Authority Restriction of processing The data subject shall have the right to request that the data controller restrict processing if one of the following occurs: a) the data subject disputes the accuracy of the personal data, in this case, the restriction concerns the period of time enabling the data controller to check the accuracy of the personal data; b) processing is unlawful and the data subject objects to the deletion of the data and instead asks to restrict their use; c) the data controller no longer needs personal data for data processing purposes, but the data subject requires them to submit, enforce, or protect legal claims; or d) the data subject has objected to processing under Article 21 (1) of the GDPR; in this case, the restriction applies to the duration of determining whether the controller's legitimate reasons prevail over the legitimate grounds of the data subject If processing is restricted according to the above, such personal data may only be processed with the exception of storage with the consent of the data subject, or for the presentation, enforcement or protection of legal rights, or for the protection of the rights of another natural or legal person, or for the important public interest of the Union or a Member State The controller shall inform the data subject at whose request the processing of data has been restricted pursuant to paragraph (1) prior to discontinuing the restriction of processing Right to data portability The data subject shall have the right to receive the personal data made available by them to a data controller in a fragmented, widely used, machine-readable format, and shall be entitled to transmit such data to another data controller without this being obstructed by the data controller to whom the personal data have been provided, if: a) the processing is based on a consent pursuant to Article 6 (1) a) or Article 9 (2) a) of the GDPR or a contract pursuant to Article 6 (1) b); and b) processing is performed automatically When exercising the right to the portability of data pursuant to Section 4.8.1, the data subject is entitled to request the direct transfer of personal data between data controllers, if this is technically feasible. The above mentioned right cannot be applied if processing is of public interest, or is required to fulfil the task performed in the framework of exercising the official powers vested on the controller, and it cannot adversely affect the rights and freedoms of others Objection to the processing of personal data The data subject has the right to object at any time to the processing of their personal data based on Article 6 (1) e) or f) for reasons relating to his own personal situation, including profiling based on the mentioned provisions. In this case, the controller may not continue to process the personal data unless the controller proves that the processing is justified by compelling legitimate grounds that prevail over the interests, rights and freedoms of the data subject, or that are related to submitting, enforcing or protecting legal claims If personal data are processed for the purposes of direct marketing, the data subject is entitled to object at any time to the processing of personal data for this purpose, including profiling, if it is related to direct marketing If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for that purpose EQUILOR shall investigate the objection within the shortest possible time, but within 15 days of the submission of the request at the latest, shall make a decision on whether or not the objection is well-founded and shall inform the requestor in writing If EQUILOR finds that the objection of the data subject is well-founded, it shall terminate processing including the recording of any further data as well as any data transfer, and shall notify of the objection and the actions it has taken on the basis of the objection all parties to whom it has transferred the personal data concerned by the objection, which parties are required to take action in order to enforce right of objection If the data subject does not agree with EQUILOR s decision, or if EQUILOR fails to meet the available timeframe, the data subject may turn to a court of law within 30 days following the communication of the decision or following the last day of the available timeframe EQUILOR may not delete the data of the data subject if processing is required by law. However, the data may not be transferred to the data recipient, if EQUILOR has agreed with the objection or the court has found that the objection is legitimate. 4/13

5 4.10. Judicial enforcement of rights Upon the breach of their rights, the data subject may apply to the Hungarian National Data Protection and Information Authority (NAIH) or may turn to court against EQUILOR. Adjudicating on the lawsuit shall be the competence of the court of law. The legal action may also be brought at the data subject s discretion before the court that has jurisdiction at the place of residence or temporary address of the data subject Privacy incident The privacy incident shall be reported to the NAIH without any undue delay and, if possible, within 72 hours after the privacy incident has become known, unless the privacy incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the incident is not reported within 72 hours, the reasons for such delay shall also be attached The processor notifies the controller after the privacy incident becomes known without any undue delay In the report mentioned in Section , at least: a) the nature of the privacy incident shall be described, including, where possible, the categories and approximate number of data subjects and the categories and the approximate number of data involved in the incident; b) the name and contact details of the data protection officer or other contact person providing additional information shall be specified; c) the potential consequences of a privacy incident shall be described; d) the measures taken or planned by the data controller to remedy the privacy incident shall be described, including, where appropriate, the measures to mitigate any adverse consequences of the privacy incident If and where it is not possible to disclose the information at the same time, they may be disclosed in parts later, without any further undue delay The controller shall record the privacy incidents, indicating the facts related to the privacy incident, its effects and remedial actions If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject about the privacy incident without delay. The information shall clearly and unambiguously describe the nature of the privacy incident and shall include at least the information and measures referred to in points b), c) and d) of Section The data subject shall not be notified as per Section if any of the below conditions are met: a) the controller has implemented appropriate technical and organisational protection measures and has applied those measures to the data involved in the privacy incident, in particular, measures e.g. the use of encryption that make it impossible for persons who are unauthorised to access personal data to interpret the data; b) after the privacy incident, the controller has taken further measures to ensure that the high risk to rights and freedoms of the data subjects referred to in Section is not likely to continue to be posed in the future; c) providing information would require disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or a similar measure shall be taken to ensure that the data subjects are informed in an equally efficient manner Compensation for damages and for the violation of privacy rights EQUILOR shall indemnify the data subject for any damages caused through the unlawful management of their data or the violation of data protection requirements The data subject is entitled to claim compensation from EQUILOR, if EQUILOR has violated the privacy rights of the data subjects through the unlawful management of their data or the violation of data protection requirements EQUILOR is liable for the damage caused by the data processor to the data subject, and EQUILOR shall pay the compensation for the violation of privacy rights of the data subject by the data processor. EQUILOR shall be exempt from liability for the damage caused and for the payment of compensation for the violation of privacy rights, if it is able to prove that the damage or the violation of the privacy rights of the data subject arose as a result of some unavoidable cause that was beyond its control as a data controller Damages do not need to be paid and the compensation for the violation of privacy rights shall not be claimed, if the damage or the violation of the privacy rights was due to the negligent or willful actions of the data subject. 5. PERSONS AUTHORISED TO KNOW THE DATA 5.1. Only and exclusively EQUILOR and its employees to the extent necessary for the performance of their rights and obligations as set out in their employment contracts, and for the purpose of the data management as well as the persons working at EQUILOR in other legal arrangements (collectively, the employees ), and in the case of data forwarding, the recipients of the forwarded data and their employees, the data processing companies contracted by EQUILOR and their employees, including further data processing companies engaged by a data processing company in accordance with EQUILOR s instructions and their employees, may have access to the personal data managed by EQUILOR. 6. DURATION OF PROCESSING 6.1. EQUILOR shall manage the personal data provided unless otherwise provided by the act on data processing or in a provision of the Special information section for a period not exceeding 10 years from the termination of the legal relationship which is the basis of the data processing or in the absence of such a legal relationship, from the date of granting consent to the processing of data EQUILOR shall delete the data, if it is clear that the data will not be processed in the future, i.e. the purpose of processing has ceased to exist. 7. DATA PROCESSING PURSUANT TO SECTION (5) OF ARTICLE 6 OF THE PRIVACY ACT 7.1. Should EQUILOR process the personal data of the data subject pursuant to paragraph (5) of Section 6 of the Privacy Act in accordance with the provisions of the Special information section, Where personal data is recorded under the 5/13

6 data subject s consent, the controller [EQUILOR] shall - unless otherwise provided for by law - be able to process the data recorded where this is necessary: a) for compliance with a legal obligation pertaining to the controller, or b) for the purposes of legitimate interests pursued by the controller [EQUILOR] or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data, without the data subject s further consent, or after the data subject having withdrawn their consent. [Privacy Act, Section 6, paragraph (5)] Unless otherwise stated by the provisions of the Special information section on each data processing activity, for consent-based data processing, EQUILOR shall process the personal data of the data subjects pursuant to paragraph (5) of Section 6 of the Privacy Act. 8. DATA TRANSFER 8.1. Unless otherwise stated in the Special information section, EQUILOR may transfer the personal data of the data subject to the following persons based on express consent by the data subject: a) EQUILOR Alapkezelő Zrt. (registered office: H-1037 Budapest, Montevideo utca 2/C.), b) EQUILOR Fine Art Kft.(registered office: H-1037 Budapest, Montevideo utca 2/C.) and c) EQUILOR Corporate Advisory Zrt. (registered office: H-1037 Budapest, Montevideo utca 2/C.) In the framework of data transfer, the data may be transferred to a foreign country to a data controller managing data or data processor processing data in a third country. The transfer of personal data to third countries may take place in particular upon the use of international online trading systems by the data subject. Third country shall mean any state which is not an EEA State, and the transfer of data to EEA States shall be deemed as if the transfer of data was realised within the territory of Hungary. 9. DATA PROTECTION OFFICER 9.1. Contact details of the data protection officer of EQUILOR: Zsófia Torma, Dr. phone number: zsofia.torma@equilor.hu 6/13

7 II. SPECIAL INFORMATION This Special information section provides information on all facts regarding each data management activity that is unique compared to the ones described in the above General information section or that is not mentioned in the General information section. Upon any deviations between the General information section and the Special information section, provisions of the Special information section shall prevail. A) DIRECT MARKETING DIRECT MARKETING THROUGH THE COMMUNICATION OF ADVERTISING MATERIAL THROUGH DIRECT CONTACT REGISTRATION NUMBER OF PROCESSING: NAIH-73606/ To enhance EQUILOR s marketing activities by means of direct response, including the sending and presentation of communication and information materials and other forms of display to the parties concerned in order to promote the sale or usage in other ways of the products and services of EQUILOR, and - in connection with this - to popularise or increase the awareness of EQUILOR s name, brand and activities. Another purpose of the data management is the identification of the parties concerned, and the maintenance of contact with them The processing of the personal data of the data subject and the communication of the advertisements through direct contact shall be based on the prior, clear, voluntary, express consent of the data subject, given after receiving adequate information. a) name; b) address; c) address; 4. Duration of processing d) telephone number(s); e) client ID, if you are EQUILOR s customer EQUILOR manages the data of the parties concerned for a term of three years calculated from the last day of the calendar year concerned with the consent to the data management, which means that at the end of the third year following the start of the data management the data shall be deleted. 5. Records 5.1. EQUILOR keeps records of the personal data provided by the parties. Any personal data kept on record may be managed only and exclusively in accordance with this Information on Data Protection, until the deletion of the data is requested, or the declaration of consent is withdrawn, and may only be transmitted to third parties subject to the prior consent of the concerned party. 6. Withdrawal of the declaration of consent 6.1. The declaration of consent to the communication of advertisements through direct contact may be withdrawn at any time free of charge, without restrictions and without justification. In such a case EQUILOR shall no longer be entitled to send advertisements to the party concerned by direct response marketing, and the personal data of the party concerned managed by EQUILOR shall be immediately deleted from the records The declaration of withdrawal may be given by post as well as by or facsimile; however, a declaration of consent shall become effective vis-à-vis EQUILOR only if the declarant can be clearly identified. A declaration of consent is to be sent either by post to the address of EQUILOR s registered office at 1037 Budapest, Montevideo utca 2/C, or by to the address equilor@equilor.hu, or by facsimile to fax number (06 1) B) PRIZE GAME-RELATED DATABASE MANAGEMENT REGISTRATION NUMBER OF PROCESSING: NAIH-75704/ Database management related to prize games, contacts with participants in the prize game, and promotion of EQUILOR's investment services, supplementary investment services and commodity trading services by sending advertising through direct contact Pursuant to Section A) 2.1. a) name; b) address; c) address; 4. Duration of processing 4.1. Pursuant to Section A) Records 5.1. Pursuant to Section A) Withdrawal of the declaration of consent 6.1. Pursuant to Sections A) 6.1. and 6.2. d) telephone number(s); e) client ID, if you are EQUILOR s customer. 7/13

8 C) CLIENT DUE DILIGENCE MEASURES FOR THE PREVENTION AND COMBATING OF MONEY LAUNDERING AND TERRORIST FINANCING REGISTRATION NUMBER OF PROCESSING: NAIH-78361/ Fulfillment of the client due diligence obligation pursuant to Act LIII of 2017 on the prevention of money laundering and financing terrorism (hereinafter: Anti-Money Laundering Act, AMA), identification of data subjects, identity verification Processing is mandatory pursuant to the AMA. a) last name and first name; b) name at birth; c) home address, or in lieu thereof, place of residence; d) nationality; e) identification document type and number; f) for foreign data subjects, place of residence in Hungary; g) place and date of birth; h) mother s name at birth; i) the name and position of natural persons who are entitled to represent a legal person or a non-legal entity; j) data of the natural person delivery agent of a legal person or non-legal entity that are suitable for identification]; k) copy of the personal identification document (official identity card) and copy of the official home address card of Hungarian citizens, their complete data content including especially the portrait of the data subject; l) copy of the passport or personal identity card for foreign nationals (if it embodies an authorization to reside in Hungary), or a copy of the document evidencing the right of residence or a valid residence permit, their complete data content including especially the portrait of the data subject; m) copy of the documents specified in Section j) or k) of persons entitled to act on behalf of or based on the authorization of a legal person or a non-legal entity, their complete data content including especially the portrait of the data subject; n) the period of validity of the document certifying the identity of the person; o) the nature and extent of beneficial ownership pursuant to the AMA; p) document presented to verify the identity of the beneficial owner, or an extract from records accessible for EQUILOR through data retrieval, or the copies thereof; q) the fact of being a politically exposed person pursuant to the AMA, or a close relative to a politically exposed person, or another close relationship; r) important public responsibility undertaken by the data subject pursuant to the AMA; s) risk category pursuant to the AMA; t) for business relations, the type, subject matter and term of the contract; u) for transaction orders, the subject matter and amount of the order; v) circumstances of completion (place, time, manner); w) money transfers, beneficiary of securities transfers, bank account number of beneficiary; x) information about the source of funds and the copy of documents presented for the verification of such information; y) payment account number; 8/13

9 4. Duration of processing 4.1. EQUILOR shall keep all data and documents obtained during the performance of client due diligence measures and copies thereof as well as the document verifying the completion of reporting and data provision to the authority operating as the financial intelligence unit and the document verifying the suspension of completion of the transaction order and copies thereof for eight years from recording as well as reporting (suspension). The duration of the period for retaining any data, documents and copies received by EQUILOR when establishing the business relationship starts upon the termination of the business relationship. For the request of the supervising body, the financial intelligence authority, the investigating authority, the prosecution and the court, EQUILOR shall retain the above data as well as document for the period specified in the request, but for a maximum of 10 years. 5. Data transfer 5.1. Should any data, facts or circumstances arise that refer to money laundering or the financing of terrorism, EQUILOR shall forward the relevant report to the prevailing authority operating as the financial intelligence unit, at the time of the creation of this information, the organisational unit of the National Tax and Customs Authority designated in separate legislation, i.e. the Anti-Money Laundering Intelligence Office via protected electronic mail In order to perform the client due diligence specified in Sections 7-14 of the AMA, EQUILOR is entitled to make the requested data available to other service providers based on the consent of the client concerned In order to verify the data identifying the client concerned, EQUILOR as a service provider holding the client account, securities account, and securities deposit account, shall request information by disclosing the natural person identification data of client from the service provider holding the certified payment account pursuant to the AMA regarding the completion of the client identification process and the authenticity of the data provided by client in relation to the client account, securities account, and securities deposit account. If the requested service provider does not have a payment account for the client, it shall immediately delete the data sent by EQUILOR during the data request after the data request has been completed. D) PERFORMANCE OF INVESTMENT SERVICES PURSUANT TO THE ACT ON INVESTMENT FIRMS, SUPPLEMENTARY SERVICES AND COMMODITY TRADING SERVICES AS WELL AS THE PROVISION OF NON-LICENSED ACTIVITIES CARRIED OUT IN ADDITION TO THE INVESTMENTSERVICES AND SUPPLEMENTARY SERVICES 1.1. Performance of the following investment service activities licensed pursuant to paragraphs (1)-(2) of Section 5 and paragraph (1) of Section 9 of the Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (hereinafter: Act on Investment Firms), the provision of supplementary services and commodity trading services, the performance of non-licensed activities pursuant to the Act on investment firms, the identification of data subjects, the performance of contracts and transaction orders, as well as contact with the data subjects. Name of the investment service activity reception and transmission of orders [Act on Investment Firms, Section 5, Article (1), paragraph a)]. execution of orders for the Client [Act on Investment Firms, Section 5, Article (1), paragraph b)]. dealing on own account [Act on Investment Firms, Section 5, Article (1), paragraph c)]. portfolio management [Act on Investment Firms, Section 5, Article (1), paragraph d)]. investment advice [Act on Investment Firms, Section 5, Article (1), paragraph e)]. placement of financial instruments on a firm commitment basis (securities or other financial instrument) (subscription guarantee) [Act on Investment Firms, Section 5, Article (1), paragraph f)]. placement of financial instruments without a firm commitment basis (financial instruments) [Act on Investment Firms, Section 5, Article (1), paragraph g)]. Name of supplementary service holding financial instruments for safekeeping and maintenance of records, and maintaining the related client account [Act on Investment Firms, Section 5, Article (2), paragraph a)]. management of custody arrangements and of connected securities accounts; administration of printed securities and management of client accounts [Act on Investment Firms, Section 5, Article (2), paragraph b)]. offering consultation and services on capital structure, business strategy and related issues, as well as on mergers and acquisitions [Act on Investment Firms, Section 5, Article (2), paragraph d)]. trading in currency and foreign exchange as related to investment services [Act on Investment Firms, Section 5, Article (2), paragraph e)]. Official registration number NAIH-78258/2014. NAIH-78257/2014. NAIH-78256/2014. NAIH-78255/2014. NAIH-78254/2014. NAIH-78253/2014. NAIH-78252/2014. Official registration number NAIH-78169/2014. NAIH-78251/2014. NAIH-78214/2014. NAIH-78213/2014. Name of commodity trading service reception and transmission of commodity trading orders [Act on Investment Firms, Section 9, Article (1), paragraph a)]. execution of commodity trading orders for the Client [Act on Investment Firms, Section 9, Article (1), paragraph b)]. Official registration number NAIH-78212/2014. NAIH-78211/ /13

10 own-account commodity trading [Act on Investment Firms, Section 9, Article (1), paragraph c)]. Name of non-licensed activity securities lending [Act on Investment Firms, Section 8, Article (5), paragraph f)]. NAIH-78171/2014. Official registration number NAIH-78170/ Processing is based on the voluntary consent of data subjects. a) natural person identification data: - last name and first name; - last name and first name at birth; - place and date of birth; - mother s last name and first name at birth; b) nationality; c) address; d) postal address; e) type and number of personal identification document (official identity card); f) validity of personal identification document (official identity card); g) number of official home address card; h) tax ID; i) country of taxation; j) TAJ number; k) signature sample; l) client code; m) mobile phone number; n) telephone number; o) fax number; p) address; q) payment account number; r) gender. E) COMPLAINT HANDLING REGISTRATION NUMBER OF PROCESSING: NAIH-78302/ Performance of EQUILOR s obligations under Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (hereinafter: Act on Investment Firms) and Decree No. 28/2014. (VII.23.) of the National Bank of Hungary on the Rules on Complaint Management of Financial Organizations (hereinafter: decree) and the related management of the personal data of data subjects For complaint handling via phone, recording and retaining the voice record of the phone communication between EQUILOR and the client is mandatory pursuant to Article 121 of the Act on Investment Firms Taking into consideration Section (2) of Article 121 of the Act on Investment Firms, pursuant to which, upon complaint handling via phone, the phone communication between the service provider and the client is recorded by the service provider through voice recording, which is retained for five years, the legal basis for this data processing is the fulfillment of a legal obligation Personal data managed mandatorily based on the Act on Investment Firms: a) the voice of the data subject and b) the voice recording of the phone communication between EQUILOR and the client In accordance with the decree, the scope of personal data managed based on voluntary consent: a) name; b) client code; c) address, registered office, postal address; d) telephone number; e) manner of notification; f) the product or service involved in the complaint; g) the description of and reason for the complaint; h) the claim of the client/claimant; 4. Duration of processing i) the copy of documents owned by the client and necessary for justifying the complaint that are not available to EQUILOR; j) a valid power of attorney in case of clients acting through an authorised agent, and k) other data necessary for investigating and responding to the complaint The period for retaining the voice recording of the phone communication between EQUILOR and the client about complaint handling is 5 years For the period of processing additional data that are relevant for complaint handling, the provisions of the General information section shall prevail. F) DATA PROVISION FOR THE CENTRAL CREDIT INFORMATION SYSTEM REGISTRATION NUMBER OF PROCESSING: NAIH-78360/ /13

11 1.1. Pursuant to Act CXXII of 2011 on the Central Credit Information System (hereinafter: CCIS Act), the purpose of processing the data recorded in the central credit information system (hereinafter: CCIS) is to better assess creditworthiness and to fulfill the conditions of responsible lending and to reduce credit risk for the security of debtors and reference data providers Data processing is mandatory based on Section (2) of Article 5 of the CCIS Act Personal data defined in the annex to the CCIS Act (hereinafter: Annex). 4. Duration of processing 4.1. The financial company managing CCIS shall manage the reference data for five years; regarding the start of calculation of this period, Article (2) of Section 8 of the CCIS Act shall prevail. After the five years have passed, as well as upon the withdrawal of consent to further data processing, the financial company managing CCIS shall delete the reference data permanently and irrevocably The financial company managing CCIS shall delete the data received from EQUILOR within one working day of the termination of the contractual relationship At the same time with concluding the contracts that are the subject of the data provision, EQUILOR shall inform the data subject concluding the contract in writing about the fact that, at the request of the registered data subject, their data may be processed by the financial company managing CCIS after the termination of the contractual relationship as well. The registered data subject, when concluding the contract or during the existence of the contractual relationship, may request in writing through EQUILOR the financial company managing CCIS to manage their data for up to five years following the termination of the contractual relationship. The consent to the processing of data following the termination of the legal relationship may be withdrawn at any time, prior to the termination of the contractual relationship, through EQUILOR, afterwards, directly with the financial company managing CCIS. 5. Data transfer 5.1. EQUILOR as a reference data provider shall transfer the reference data pursuant to Article 1.1 and paragraphs a)-d) and k) of Article 1.2 of Chapter II of the Annex to the CCIS in writing following the conclusion of the contract on securities lending Prior to the transfer of personal data belonging to the scope of reference data into CCIS, EQUILOR shall obtain the declaration of the natural person client on the consent to the transfer of their data from CCIS by another reference data provider. This consent may be given by the natural person client at any time during the period of recording the data in the CCIS. The consent of the client concerned is not required for the transfer of the managed data based on Articles of the CCIS Act. If the client concerned does not consent to the transfer of their data from the CCIS, the CCIS shall contain the data pursuant to Article 1.1 and paragraphs a)-d) of Article 1.2 as well as Article 1.5 of Chapter II of the Annex Both the financial company managing the CCIS and EQUILOR shall keep records of the fact and time of the data transfer as well as of the scope of the data transferred. These records shall be managed until the time specified in the provisions on recording the reference data If the conditions set out in the CCIS Act are met, EQUILOR shall, within five working days, provide the reference data it manages in writing to the financial company managing the CCIS, while observing client protection rules Until the fifth working day following the subject month, EQUILOR shall transfer the data to the financial company managing the CCIS pursuant to paragraphs j) and k) of Article 1.2 and paragraphs k) and l) of Article 2.2 of Chapter II of the Annex EQUILOR shall transfer in writing to the financial company managing the CCIS the reference data pursuant to Articles of Chapter II of the Annex of the data subject that fails to meet its payment obligation undertaken in the contract that is the subject of the data provision in a manner that the amount of overdue and unpaid debts exceeds the smallest amount of minimum wage valid at the time of delay and the delay that exceeds this minimum wage amount has prevailed permanently for more than ninety days EQUILOR transfers in writing to the financial company managing the CCIS the reference data pursuant to Articles 1.1 and 1.3 of Chapter II of the Annex of the data subject who, when initiating the conclusion of the contract that is the subject of the data provision, a) gives false information, which can be proved by this document, or b) the court establishes in a final decision that a criminal offense defined by law has been committed for using a false or falsified document EQUILOR with the exception of the reference data pursuant to Section (5) of Article 6 of the CCIS Act shall inform the data subject in writing about the completion of data transfer within a maximum of five days following the transfer of reference data to the financial company managing the CCIS. 6. Special provisions regarding the data subject s rights and remedies 6.1. Anyone may ask at any reference data provider for information on what data of theirs are included in the CCIS and which reference data provider has transferred them. The registered data subject may without limitation be informed about their personal data recorded in the CCIS and the information on who accessed these data, when and under what title; no reimbursement or other fees may be charged for this purpose The registered data subject may object to the transfer of his reference data to the financial company managing the CCIS and their management by the financial company managing the CCIS and may request the correction as well as deletion of the reference data. The registered data subject may submit the objection a) to EQUILOR or b) the company managing the CCIS 11/13